CVE-2024-27317
📋 TL;DR
This CVE describes a directory traversal vulnerability in Apache Pulsar Functions Worker where authenticated users can upload malicious JAR/NAR files containing path traversal sequences (like '..') in filenames. When extracted, these files can be written outside the intended directory, potentially allowing file creation/modification anywhere the process has write permissions. This affects Apache Pulsar versions 2.4.0 through 3.2.0 with Functions Worker enabled.
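The defect the TL;DR describes is the classic archive-extraction ("zip slip") flaw: trusting entry names inside an uploaded package and joining them onto the target directory without checking where the result lands. The following Python block is an added illustration of the containment check that closes that gap; it is not Pulsar's own (Java) code and the package it builds is a constructed sample, not a real function bundle. The directory name `/srv/pulsar/functions` used by `is_contained` is a hypothetical default.

```python
import io
import os
import tempfile
import zipfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple


def build_sample_archive() -> bytes:
    """Constructed sample package (not a real Pulsar function): one benign
    entry plus one whose name carries the '..' sequence the advisory describes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("../../escaped.txt", "would be written outside the target directory\n")
    return buf.getvalue()


def resolve_entry(dest: Path, name: str) -> Optional[Path]:
    """Map an archive entry name onto disk, or return None if it would land
    outside dest. Resolving both sides first means '..' segments, absolute
    names and symlinked parent directories all fall to the same containment test."""
    if os.path.isabs(name) or name.startswith(("/", "\\")):
        return None
    dest_resolved = dest.resolve()
    candidate = (dest_resolved / name).resolve()
    try:
        candidate.relative_to(dest_resolved)
    except ValueError:
        return None
    return candidate


def is_contained(name: str, base: str = "/srv/pulsar/functions") -> bool:
    """Convenience check of a single entry name against a hypothetical
    function directory (the path is an assumption, not a Pulsar default)."""
    return resolve_entry(Path(base), name) is not None


def safe_extract(archive_bytes: bytes, dest: Path) -> Tuple[List[str], List[str]]:
    """Extract every contained entry into dest and report the ones that were
    refused. Returns (extracted_names, rejected_names)."""
    extracted: List[str] = []
    rejected: List[str] = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            target = resolve_entry(dest, info.filename)
            if target is None:
                rejected.append(info.filename)
                continue
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
            else:
                target.parent.mkdir(parents=True, exist_ok=True)
                with zf.open(info) as src, open(target, "wb") as out:
                    out.write(src.read())
            extracted.append(info.filename)
    return extracted, rejected


def demo() -> Dict[str, object]:
    """Run the guard against the constructed archive in a throwaway directory."""
    with tempfile.TemporaryDirectory() as tmp:
        dest = Path(tmp) / "functions"
        dest.mkdir()
        extracted, rejected = safe_extract(build_sample_archive(), dest)
        return {
            "extracted": extracted,
            "rejected": rejected,
            "manifest_written": (dest / "META-INF" / "MANIFEST.MF").is_file(),
        }


if __name__ == "__main__":
    print(demo())
```

The important design point is that the check is done on the fully resolved path, not by scanning the entry name for the literal string `..`: a string match misses absolute names and paths that traverse through a symlinked parent, while `relative_to` on resolved paths rejects all of them with one rule.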
💻 Affected Systems
- Apache Pulsar Functions Worker
- Apache Pulsar Broker with functionsWorkerEnabled=true
📦 What is this software?
Pulsar by Apache
⚠️ Risk & Real-World Impact
Worst Case
An authenticated attacker could write arbitrary files to any location the Pulsar process has write access to, potentially leading to remote code execution, system compromise, or data manipulation.
Likely Case
Attackers could overwrite configuration files, inject malicious code, or disrupt Pulsar operations by manipulating files in the system.
If Mitigated
With proper network segmentation and least privilege, impact would be limited to the Pulsar application environment rather than full system compromise.
🎯 Exploit Status
Exploitation requires authenticated access to upload function files. The vulnerability is straightforward to exploit once authenticated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.10.6, 2.11.4, 3.0.3, 3.1.3, 3.2.1
Vendor Advisory: https://pulsar.apache.org/security/CVE-2024-27317/
Restart Required: Yes
Instructions:
1. Identify your Pulsar version.
2. Upgrade to the patched version for your release line:
   - 2.10.x → 2.10.6+
   - 2.11.x → 2.11.4+
   - 3.0.x → 3.0.3+
   - 3.1.x → 3.1.3+
   - 3.2.x → 3.2.1+
3. Restart Pulsar services after upgrade.
🔧 Temporary Workarounds
Disable Functions Worker
If Functions Worker functionality is not required, disable it to eliminate the attack vector.
Set functionsWorkerEnabled=false in broker.conf
Restrict Function Uploads
Implement network controls to restrict which users/systems can upload functions.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Pulsar instances from sensitive systems
- Run Pulsar with minimal privileges and in a containerized environment with restricted filesystem access
🔍 How to Verify
Check if Vulnerable:
Check if Pulsar version is in affected range and Functions Worker is enabled in configuration.
Check Version:
Run pulsar-admin version, or check the Pulsar server logs for version information.
Verify Fix Applied:
Verify upgraded version is at or above patched versions: 2.10.6, 2.11.4, 3.0.3, 3.1.3, or 3.2.1.
📡 Detection & Monitoring
Log Indicators:
- Unusual function upload activity
- Errors during file extraction
- File operations outside expected directories
Network Indicators:
- Unexpected function upload requests
- Traffic to Functions Worker endpoints from unauthorized sources
SIEM Query:
source="pulsar" AND ("function upload" OR "jar upload" OR "nar upload")
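The SIEM query above only finds upload events; it does not say which of them are suspicious. The Python block below is an added example of the triage step a detection engineer would run over the matched lines: it flags uploaded package names that carry traversal sequences (including a URL-encoded form), counts uploads per user, and picks up extraction errors. It is not part of the advisory or of Pulsar, and the log lines are constructed for the example; real Pulsar Functions Worker output uses a different format, so the regular expressions would need to be adapted to it.

```python
import re
import urllib.parse
from collections import Counter
from typing import Dict, List

# Constructed sample log lines (not real Pulsar output): a benign upload,
# an upload whose package name carries '..', one with a URL-encoded traversal,
# and an extraction failure of the kind the advisory lists as an indicator.
SAMPLE_LOG = """\
2024-03-12T10:01:02Z INFO  worker - function upload user=alice function=wordcount file=wordcount-1.0.nar
2024-03-12T10:03:45Z INFO  worker - function upload user=mallory function=x file=../../../../tmp/evil.jar
2024-03-12T10:03:50Z INFO  worker - function upload user=mallory function=y file=%2e%2e/%2e%2e/conf/broker.conf
2024-03-12T10:04:00Z ERROR worker - failed to extract package for function=x: entry escapes base directory
"""

# Patterns written for the constructed format above (assumption, not Pulsar's log layout).
UPLOAD_RE = re.compile(
    r"(?P<ts>\S+) (?P<level>\w+)\s+\S+ - function upload "
    r"user=(?P<user>\S+) function=(?P<fn>\S+) file=(?P<file>\S+)"
)
EXTRACT_ERR_RE = re.compile(r"(?P<ts>\S+) ERROR .*failed to extract package")


def is_traversal_name(name: str) -> bool:
    """True if a package name could escape its target directory: absolute
    path, a '..' segment (after one URL-decoding pass), or an embedded NUL."""
    decoded = urllib.parse.unquote(name)
    segments = re.split(r"[\\/]+", decoded)
    return decoded.startswith(("/", "\\")) or ".." in segments or "\x00" in decoded


def analyze(log_text: str) -> Dict[str, object]:
    """Return traversal/extraction findings plus per-user upload counts."""
    findings: List[Dict[str, str]] = []
    uploads_per_user: Counter = Counter()
    for line in log_text.splitlines():
        m = UPLOAD_RE.search(line)
        if m:
            uploads_per_user[m["user"]] += 1
            if is_traversal_name(m["file"]):
                findings.append({"type": "traversal_filename", "ts": m["ts"],
                                 "user": m["user"], "file": m["file"]})
            continue
        e = EXTRACT_ERR_RE.search(line)
        if e:
            findings.append({"type": "extract_error", "ts": e["ts"], "line": line})
    return {"findings": findings, "uploads_per_user": dict(uploads_per_user)}


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG)["findings"]:
        print(f)
```

Decoding the name once before splitting is what catches the `%2e%2e` form; a rule that only greps for the literal `..` would miss it, and a rule that decodes repeatedly can be led into loops, so one pass is the usual compromise. The per-user counts are returned rather than thresholded because what counts as "unusual" volume depends on the deployment.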
🔗 References
- http://www.openwall.com/lists/oss-security/2024/03/12/10
- https://lists.apache.org/thread/ct9xmvlf7lompc1pxvlsb60qstfsm9po
- https://pulsar.apache.org/security/CVE-2024-27317/